Single sign-on for managed mobile devices

ABSTRACT

Disclosed are various examples for single-sign on by way of managed mobile devices. For example, an identity provider service can receive a request for an identity assertion from an application executed in a client device. The identity provider service can then detect a platform associated with the client device. A response to the request can be sent based at least in part on the platform, where the response requests authentication by a management credential. Data generated by the management credential is received from the client device, and the management credential is determined to be valid for the identity assertion. The identity assertion is then sent to the client device in response to determining that the management credential is valid for the identity assertion.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to U.S. patent application entitled “SINGLESIGN-ON FOR MANAGED MOBILE DEVICES” and filed on Jun. 15, 2015, andassigned application Ser. No. 14/739,980, U.S. patent applicationentitled “SINGLE SIGN-ON FOR UNMANAGED MOBILE DEVICES” and filed on Jun.15, 2015, and assigned application Ser. No. 14/739,983, and U.S. patentapplication entitled “SINGLE SIGN-ON FOR UNMANAGED MOBILE DEVICES” andfiled Jun. 15, 2015, and assigned application Ser. No. 14/739,972, whichare incorporated herein by reference in their entirety.

BACKGROUND

Users may have many different accounts for a multitude of applicationsand services. Examples of applications and services may include socialnetworking services, file sharing services, email services, voicecommunication services, office productivity services, task trackingservices, and still others. A user may have to establish a correspondingusername and password to authenticate for each account. This becomes adifficult and inconvenient practice where numerous accounts areinvolved. Accordingly, users may set weak passwords that are short orotherwise easy to remember, share passwords among multiple accounts, usethird-party password managers, or engage in other practices that mightbe regarded as insecure.

The concept of identity federation arose as a solution to this problem.Under identity federation, a user establishes an account with afederated identity provider. To this end, the user specifies a singleset of security credentials. The federated account is then linked to amultiplicity of applications and services that are provided by otherorganizations. When the user seeks to access applications and servicesthat are linked to the federated account, the user can simply providethe single username, password, or other credentials of the federatedaccount for authentication. In like manner, an organization such as anenterprise may use a directory service such as ACTIVE DIRECTORY byMICROSOFT CORPORATION in order to provide a single log-in for each ofmultiple applications and services of the organization.

Despite the availability of identity federation, the end user experiencemay still be suboptimal. Even assuming that users are able to employ asingle federated account for multiple applications and services, theusers may be required to enter the federated account credentialsseparately. For example, suppose that a user logs in with a socialnetworking application provided by a social networking service providerthat is also a federated identity provider. Subsequently, the user maywant to use a file sharing application that is linked to the federatedidentity provider. The user may then have to supply the same usernameand password that was previously entered for the social networkingapplication. Repetitively entering these security credentials for eachapplication and service may frustrate users.

BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the present disclosure can be better understood withreference to the following drawings. The components in the drawings arenot necessarily to scale, with emphasis instead being placed uponclearly illustrating the principles of the disclosure. Moreover, in thedrawings, like reference numerals designate corresponding partsthroughout the several views.

FIG. 1 is a drawing illustrating an example scenario of the disclosure.

FIG. 2 is a drawing of a networked environment according to variousexamples of the disclosure.

FIG. 3 is a sequence diagram illustrating an example componentinteraction according to various examples of the present disclosure.

FIGS. 4-8 are flowcharts illustrating examples of functionalityaccording to various examples of the present disclosure.

DETAILED DESCRIPTION

The present disclosure relates to providing a single sign-on experiencefor users of mobile devices. With a single sign-on experience, a userenters or obtains a single set of security credentials for an accountand, upon authentication, the user is able to access multiple differentapplications and services that are linked to that account. Multi-factorauthentication can also be employed where the user is required toprovide a combination of knowledge, possession, or biometricauthentication factors. As contemplated herein, the term “singlesign-on” can include scenarios in which a user is required to re-entersecurity credentials due to session timeouts, inactivity periods,suspicious activities, or other events that could cause authenticationof the user to be doubted.

In the context of a web browser, a single sign-on experience can beenabled by way of cookies. In response to a user logging in with afederated identity provider, a cookie can be stored on the user's devicethat contains a token indicating authentication. When the user lateraccesses another network site that supports authentication by way of thefederated identity provider, the cookie is presented and the token canbe exchanged for a site-specific token. Consequently, the user does nothave to log in again to access the network site.

However, the single sign-on design paradigm from the browser contextdoes not function in the context of mobile applications. Although mobileapplications can invoke web views, cookies that are part of a web viewinvoked within a mobile application cannot be accessed in other mobileapplications or by a browser. Even assuming that a user logs into afederated account by way of a first mobile application, the cookies andapplication tokens that indicate successful authentication are not madeavailable to a second mobile application because they can have separatewebviews. As will be described, various implementations of the presentdisclosure facilitate single sign-on within mobile applications andother applications that embody this limitation. Moreover, according tothe present disclosure, the requirement to use a particular softwaredevelopment kit (SDK) for each application in order to implement singlesign-on can be rendered unnecessary.

Specifically, in the present disclosure, examples are disclosed thatenable a single sign-on experience for mobile devices that are managed.With reference to FIG. 1, shown is a pictorial diagram of an examplesingle sign-on scenario 100. At 101, a user launches a managementapplication that can manage applications upon the user's mobile device.The management application can be a native mobile application or aweb-based management application accessed from a browser. The managementapplication renders a user interface configured to receive logininformation for a device management service. Specifically in thisexample, the user interface includes a form configured to receive ausername and a password. Other security credentials or authenticationfactors can be elicited in other examples. After the user enters theinformation, the user selects a log-in entry component.

Upon entering correct log-in information, the user is authenticated, andthe user interface can then be updated to indicate to the user that thelog-in was successful at 102. Subsequently, the user can launch oraccess other managed applications on the mobile device, such as a socialnetworking application at 103, an email application at 104, or a filesharing application 105. These applications can communicate with anexternal service. Because the user has already been authenticatedthrough the device management application, these applications indicatethat the user is already authenticated. Consequently, the user does nothave to provide login information for the applications separately, andthe user is able to use the services accessed through the respectiveapplications.

With reference to FIG. 2, shown is a networked environment 200 accordingto various examples. The networked environment 200 includes a clientdevice 203, a device management service 204, an identity provider 206,and a plurality of service providers 209 a . . . 209N, which can be indata communication with one another over the network 212. The network212 includes, for example, the Internet, one or more intranets,extranets, wide area networks (WANs), local area networks (LANs), wirednetworks, wireless networks, other suitable networks, or any combinationof two or more such networks. For example, the networks can includesatellite networks, cable networks, Ethernet networks, and other typesof networks.

The device management service 204, the identity provider 206, and theservice providers 209 can include, for example, a server computer or anyother system providing computing capabilities. Alternatively, the devicemanagement service 204, the identity provider 206, and the serviceproviders 209 can employ multiple computing devices that can bearranged, for example, in one or more server banks, computer banks, orother arrangements. The computing devices can be located in a singleinstallation or can be distributed among many different geographicallocations. For example, the device management service 204, the identityprovider 206, and the service providers 209 can include multiplecomputing devices that together form a hosted computing resource, a gridcomputing resource, or any other distributed computing arrangement. Insome cases, the device management service 204, the identity provider206, and the service providers 209 can operate as at least a portion ofan elastic computing resource where the allotted capacity of processing,network, storage, or other computing-related resources can vary overtime. The device management service 204, the identity provider 206 andthe service providers 209 can also include or be operated as one or morevirtualized computer instances. Generally, the device management service204, the identity provider 206 and the service providers 209 can beoperated in accordance with particular security protocols such that theyare considered trusted computing environments.

The device management service 204 can manage or oversee the operation ofmultiple client devices 203. In some examples, an enterprise, such asone or more companies or other organizations, can operate the devicemanagement service 204 to oversee or manage the operation of the clientdevices 203 of employees, contractors, or other users within anenterprise environment. In this sense, the client devices 203 caninclude managed devices that are managed by the device managementservice 204.

To facilitate management of client devices 203, the device managementservice 204 can establish a secure communications channel with theclient devices 203 (e.g., a mobile device management channel, or MDMchannel). The device management service 204 can establish the securecommunications channel by creating a secure communication link with theclient device 203. A secure communication link can be established usingMDM application programming interfaces (APIs) that are provided by anoperating system executed by the client device 203. In some examples,the secure communications channel can be established using a pushnotifications framework or notification service provided by an operatingsystem ecosystem associated with the client device 203 that allows forcommunications between the device management service 204 and a clientdevice 203 over the network 212 that are encrypted using a digitalcertificate.

The client device 203 can be enrolled as a managed device with thedevice management service 204 through APIs provided by the operatingsystem. The enrollment process can include authentication of a user'scredentials. Upon authentication of a user's credentials by the devicemanagement service 204, the client device 203, using the MDM APIs of theoperating system, can enroll the client device 203 as a managed deviceso that various management functions can be securely performed over thesecure communications channel.

Examples of management functions can include commands to erase certaindata from the client device 203, commands to install certainapplications or application updates, commands to lock a client device203 or activate a display lock feature, a command to remotely perform afactory reset of the client device 203, or other management functions.Additionally, data can be securely transmitted through the securecommunications channel to the client device 203 or applications executedby the client device 203.

Additionally, the operating system of the client device 203 can alsoprovide the ability to create access-restricted storage that isassociated with particular applications installed on the client device203. Access-restricted storage can be associated with multipleapplications that are installed on the client device 203 through thesecure communications channel. In some scenarios, applications that aresigned by a common certificate can be provided access to theaccess-restricted storage of each other, whereas applications that arenot signed by the certificate do not have access to theaccess-restricted storage of other applications. Additionally, thedevice management service 204 can transmit data to the client device 203over the secure communications channel that can be stored in theaccess-restricted storage such that it is accessible by certainapplications and inaccessible to other applications that are installedon the client device 203.

The secure communications channel can be encrypted or secured using adigital certificate that is associated with the client device 203, thedevice management service 204, or an enterprise with which the clientdevice 203 is associated. In one scenario, the device management service204 can obtain a security certificate, such as a secure sockets layer(SSL) certificate, that is unique to a particular enterprise with whicha client device 203 is associated. In one example, an administratorassociated with the enterprise can provide a certificate to the devicemanagement service 204 using an administrator console or otherfunctionality with which a certificate can be uploaded. The certificatecan also be signed by a certificate authority, which can in some casesbe operated by the device management service 204. The device managementservice 204 can encrypt or secure the secure communications channelusing the certificate so that the secure communications channel is asecure communication link over the network 212 through which data can besent to the client device 203.

Additionally, the device management service 204 can specify that datasent through the secure communications channel can only be accessed bycertain applications installed on the client device 203. Theapplications that can access data sent through the secure communicationschannel can also be restricted in how certain data can be manipulated,viewed or handled on the client device 203. For example, an applicationinstalled on the client device 203 can be coded to restrict the abilityof a user to capture, share, or otherwise remove data from the clientdevice 203 that is received through the secure communications channel.

The device management service 204 can also facilitate ensuring thatclient devices 203 that are administered by the device managementservice 204 are operating in compliance with various compliance rules.In one scenario, the device management service 204 can issue managementcommands that instruct a client device 203 to take a particular actionwith respect to a compliance rule. For example, if a client device 203is designated as lost or stolen, the device management service 204 canissue a command instructing the client device 203 to erase data andapplications that were previously sent to the client device 203 throughthe secure communications channel or other communication links andotherwise stored on the client device 203. The device management service204 can also obtain data from a third party computing environment, suchas an application, a security code, authentication token, or other data.As another example, if the device management service 204 determines thata client device 203 has violated a compliance rule with respect tohaving unauthorized modifications or unauthorized applications installedon the client device 203, the device management service 204 can issue acommand instructing the client device 203 to erase data and applicationsstored on the client device 203. As a further example, the devicemanagement service 204 can also issue a command instructing the clientdevice 203 to activate a display lock of the client device 203 thatrequires a user to enter a personal identification number (PIN) in orderto use the client device 203.

The data stored in the management data store 213 and available to thedevice management service 204 includes, for example, authenticationdata, compliance rules, device data, and potentially other data. Theauthentication data can include data used to verify one or more securitycredentials presented by a user for authentication. To this end, securecertificates can be stored and then be made available to the clientdevice 203 that has been authenticated in order to encrypt the securecommunications channel and/or for other functions.

Within the context of an enterprise, compliance rules include one ormore rules that, when violated, can cause the device management service204 to issue a management command. Compliance rules can include a listof unauthorized hardware functions, software functions, or applicationsthat potentially pose a threat to enterprise data or to the use ofenterprise applications. As noted above, if client device 203 falls outof compliance with one or more compliance rules, a management commandcan be transmitted to the client device 203 instructing the clientdevice 203 to perform one or more actions specified by the compliancerule. Alternatively, a compliance rule can also reside on the clientdevice 203, which can self-enforce compliance rules. The management datastore 213 can also include user account data. User account data caninclude information with which a user account can be authenticated, suchas user credentials. User account data can also include data such asemail, contact, calendar data, documents, files or other data that isassociated with a user account.

Device data can represent data stored in the management data store 213that is associated with client devices 203 that are enrolled with thedevice management service 204 as managed devices. Device data caninclude a unique device identifier associated with the client device203, device policies that are associated with a particular client device203, status information associated with a particular client device 203,and other data that facilitates management of the client device 203 bythe device management service 204. Device data can also include userdata that is synchronized with a particular client device 203. A useraccount can be associated with multiple client devices 203. Differentclient devices 203 associated with a user account can have differentuser account data stored thereon. For example, a user's smartphone canhave a certain number of documents or email messages stored on thedevice, whereas the user's laptop or tablet can have varying amounts oftypes of user account data stored on the device.

The identity provider 206 can provide a federated identity service onbehalf of the service providers 209. To this end, the identity provider206 can be in communication with an identity data store 215 that storesinformation associated with user identities. This information caninclude, for example, usernames, security credentials, biometricidentity information, authorized client applications, unauthorizedclient applications, authorized client devices 203, unauthorized clientdevices 203, and so on. As will be described, users are able toauthenticate by way of the identity provider 206 in order to accessservices provided by the multiple service providers 209. The identityprovider 206 can include a plurality of platform adapters 216 tofacilitate platform-specific authentication on different clientplatforms, such as IOS, ANDROID, WINDOWS, and so on.

The service providers 209 provide corresponding services for clientapplications. The services can include, for example, social networkingservices, email services, voice communication services, enterpriseinformation management services, productivity services, game services,and so on. In some examples, one or more of the service providers 209can authenticate users separately from the identity provider 206,thereby giving users the option to log in either with the identityprovider 206 or with the service provider 209 directly.

The service providers 209 and the identity provider 206 can communicatewith the client device 203 over the network 212 by way of hypertexttransfer protocol (HTTP), simple object access protocol (SOAP),representational state transfer (REST), and/or other protocols.

The client device 203 can represent a processor-based system, such as acomputer system, that can be embodied in the form of a desktop computer,a laptop computer, a personal digital assistant, a cellular telephone, asmartphone, a set-top box, a music player, a web pad, a tablet computersystem, a game console, an electronic book reader, or any other devicewith like capability. The client device 203 can include a display 218that includes, for example, one or more devices such as liquid crystaldisplay (LCD) displays or other types of display devices. The clientdevice 203 can also be equipped with networking capability or networkinginterfaces, including a localized networking or communication capabilitysuch as an NFC capability, RFID read and/or write capability, amicrophone and/or speaker, or other localized communication capability.

The client device 203 can execute various applications, such as amanagement application 221, a plurality of client applications 224 a . .. 224N, and other applications, services, or processes. The managementapplication 221 can receive security credentials from a user and toauthenticate with the device management service 204. Upon authenticationwith the device management service 204, the management application 221is able to obtain management credentials 225, which in turn allow theclient applications 224 to request identity assertions from the identityprovider 206 in order to authenticate the client applications 224 withthe respective service providers 209 as will be described. Althoughdescribed as an application, it is understood that the managementapplication 221 can be an integral component of an operating system ofthe client device 203. Also, in some scenarios, the managementcredentials 225 can be provisioned directly to the operating system forall client applications 224 to use. This can be performed under iOSusing either a certificate profile that is installed in a managedcertificate keychain or a combination of a certificate and a Kerberosprofile together. Rather than being stored in the management application221, the management credentials 225 can be stored in the operatingsystem itself in these scenarios. Various access rules 226 can restrictwhich client applications 224 are permitted to use the managementcredentials 225 for authenticating with identity providers 206. Invarious implementations, the access rules 226 can be maintained andenforced by the identity provider 206.

An identity assertion in security assertion markup language (SAML), forexample, contains a packet of security information that serviceproviders 209 use to make access control decisions. SAML supports threetypes of statements: authentication statements, attribute statements,and authorization decision statements. Authentication statements assertto the service provider 209 that the client device 203 authenticatedwith the identity provider 206 at a particular time using a particularmethod of authentication. An attribute statement asserts that a clientdevice 203 is associated with certain attributes. An authorizationdecision statement asserts that a client application 224 is permitted toperform a certain action relative to a resource offered by the serviceprovider 209. Extensible access control markup language (XACML) and/orother languages can be employed.

The client applications 224 correspond to a variety of applications thatare employed to access services provided by the service providers 209.The client applications 224 can include a web view component, wherebythe client applications 224 interact with the service providers 209 toobtain network content by way of hypertext transfer protocol (HTTP)requests and responses. However, unlike a browser that is used to accessvarious web-based applications, cookies set through one clientapplication 224 cannot be accessed by another client application 224.The client applications 224 and the management application 221 canindividually render a respective user interface 227 upon the display218.

Turning now to FIG. 3, shown is a sequence diagram 300 illustrating oneexample of interaction between the client application 224, themanagement application 221, the device management service 204, theservice provider 209, and the identity provider 206. Functionalityattributed to the client application 224, the management application221, the device management service 204, the service provider 209, andthe identity provider 206 can be implemented in a single process orapplication or in multiple processes or applications. The separation orsegmentation of functionality as discussed herein is presented forillustrative purposes only.

Beginning with step 303, the client application 224 sends an accessrequest to the service provider 209. At step 306, the service provider209 sends a redirection back to the client application 224 that causesclient application 224 to redirect the access request to the identityprovider 206. At step 309, the client application 224 sends an identityassertion request to the identity provider 206. At step 312, theidentity provider 206 detects the type of client application 224 and theplatform and responds by requesting authentication by way of amanagement credential 225 for the specific platform. This can correspondto a certificate challenge or a Kerberos challenge. At step 315, theclient application 224 requests the management credential 225 from themanagement application 221.

At step 318, the management application 221 obtains one or more securitycredentials from the user by way of a user interface 227. This step canoccur upon initial launch of the management application 221, with thecredentials being stored in various scenarios locally by the managementapplication 221 or on a cloud server, such as identity data store 215,to provide a single sign-on experience for future accesses. At step 321,the management application 221 sends an authentication request to thedevice management service 204. The authentication request can specifythe security credentials obtained from the user. At step 324, the devicemanagement service 204 sends the management credential 225 to themanagement application 221. At step 327, the management application 221returns the management credential 225 to the client application 224.

At step 330, the client application 224 uses the management credential225 to authenticate with the identity provider 206. The identityprovider 206 returns the identity assertion to the client application224 at step 333. At step 336, the client application 224 provides theidentity assertion to the service provider 209. At step 339, the serviceprovider 209 verifies the identity assertion. The service provider 209generates a session token, such as an OAuth token, and returns thesession token at step 342.

Single sign-on is thereby implemented for subsequent client applications224 or for the client application 224 seeking to authenticate withanother service provider 209. Thus, the process can repeat again for theclient applications 224 a . . . 224N. However, once the user isauthenticated with the management application 221 for the purpose ofauthenticating client application 224 a, the user need not entersecurity credentials again for authenticating client application 224 b,unless perhaps due to inactivity or other events that could cause theidentity of the user to be in question. Steps 315, 318, 321, 324, and327 can be executed during the initial access to the client application224 a, but these steps can subsequently be omitted for access to theclient application 224 b since the management application 221 will havealready obtained the management credential 225. Alternatively, thecredentials can be stored by the management application 221 andautomatically entered at step 318 without user input. During the singlesign-on process, the user interface can remain stable to avoid“flipping” back and forth, making the process seamless to a user.

Moving on to FIG. 4, shown is a flowchart that provides one example ofthe operation of an identity provider 206. As an alternative, theflowchart of FIG. 4 can be viewed as depicting an example of elements ofa method implemented in a computing device. Functionality attributed tothe identity provider 206 can be implemented in a single process orapplication or in multiple processes or applications. The separation orsegmentation of functionality as discussed herein is presented forillustrative purposes only.

Beginning with step 403, the identity provider 206 receives an identityassertion request from a client application 224. The client application224 has been redirected to the identity provider 206 by a serviceprovider 209. The redirection can be performed, for example, by way of ahypertext transfer protocol (HTTP) redirection response having statuscode 302. At step 406, the identity provider 206 in some scenarios candetermine that the client application 224 corresponds to a mobileapplication web view instead of a browser. For example, the clientapplication 224 can send a user-agent string to the identity provider206 within an HTTP request. The user-agent string can identify whetherthe request originates from a specific browser or from a web view of anative application. With a browser, an alternative form of singlesign-on for identity federation can be used, as cookies set by theidentity provider 206 can be accessed by different service providers209. However, with mobile applications using webviews, the cookiescannot be shared among different applications without the use ofspecialized software development kits (SDKs). In some cases, theidentity provider 206 can be configured to deny access if the clientapplication 224 is a browser or an unmanaged application.

At step 407, the identity provider 206 determines a platform of theclient device 203. The identity provider 206 can determine the platformalso by examining the user-agent string of the HTTP request. Forexample, the identity provider 206 can determine that the client device203 corresponds to IOS, ANDROID, WINDOWS, BLACKBERRY, or other platformsbased at least in part on corresponding identifiers contained in theuser-agent string.

At step 408, the identity provider 206 requests authentication bymanagement credential 225 based at least in part on the detectedplatform of the client device 203. Specifically, the identity provider206 can request authentication using a platform-specific managementcredential 225 after querying a table of platforms based at least inpart on information provided by the client device 203. Different typesof security credentials and certificates can be used depending on theplatform of the client device 203. For example, the managementcredential 225 can include a secure certificate, a Kerberos profile, orother credentials. Accordingly, to allow single sign-on from differingplatforms, the platform adapter 216 can request the type of managementcredential 225 that is appropriate for the client device 203 that isrequesting access. For example, when the platform is IOS, a platformadapter 216 corresponding to an IOS-specific certificate adapter orKerberos adapter can be used, such as an esso profile. When the platformis ANDROID, a platform adapter 216 corresponding to a certificateadapter can be used. As additional examples, the OSX operating systemcan use a keychain, and WINDOWS 10 can use account provider credentials.The request for authentication can be performed by returning an HTTPresponse having status code 401, indicating that authorization isrequired. Further, the HTTP response can specifically requestauthentication by a particular protocol, such as the Kerberos protocol,through the use of a management credential 225.

At step 410, the identity provider 206 determines whether the clientdevice 203 corresponds to a managed device. If the client device 203 isa managed device, the authentication of step 408 would completeproperly. If the authentication of step 408 fails, the client device 203can be presumed to be unmanaged. If the client device 203 does notcorrespond to a managed device, the identity provider 206 continues tostep 411. If the client device 203 does correspond to a managed device,the identity provider 206 moves to step 412.

At step 415, the identity provider 206 receives data associated with orgenerated by the management credential 225. At step 418, the identityprovider 206 determines that the presented management credential 225 isvalid for the requested identity assertion. The identity provider 206can verify whether the management credential 225 is permitted to be usedto authenticate specific client applications 224 or for specific serviceproviders 209. At step 421, if the management credential 225 isdetermined to be valid, the identity assertion is generated and sent tothe client application 224. The identity assertion can include securityassertion markup language (SAML), extensible access control markuplanguage (XACML), or other data. Thereafter, the process proceeds tocompletion.

If, instead, the client device 203 is not a managed device, at step 411,the identity provider 206 determines whether the client application 224is permitted to execute on an unmanaged device according to a policy. Ifthe client application 224 is not permitted to execute on an unmanageddevice, the identity provider 206 moves from step 411 to step 424 andblocks the authentication of the client application 224 and anunauthorized message may be returned. Thereafter, the process proceedsto completion.

If the client application 224 is permitted to execute on an unmanageddevice, the identity provider 206 moves from step 411 to step 427, andthe identity provider 206 requests authentication by user-suppliedcredentials, such as a username and password, biometric credentials,multi-factor credentials, and so on. At step 430, the identity provider206 receives and validates the user-supplied credentials from the clientapplication 224. The identity provider then moves to step 421, where theidentity assertion is generated and sent to the client application 224.The identity assertion can include security assertion markup language(SAML), extensible access control markup language (XACML), or otherdata. Thereafter, the process proceeds to completion.

Continuing on to FIG. 5, shown is a flowchart that provides one exampleof the operation of a device management service 204. Functionalityattributed to the device management service 204 can be implemented in asingle process or application or in multiple processes or applications.The separation or segmentation of functionality as discussed herein ispresented for illustrative purposes only.

Beginning with step 501, the device management service 204 receives anenrollment request from a client device 203. For example, a user cannavigate to a certain uniform resource locator (URL) in a browser, themanagement application 221 can be installed on the client device 203,and a user can accept the terms of the enrollment. Then, aplatform-specific management certificate can be sent to the managementapplication 221. The platform-specific management certificate can bereceived within a profile which the client device 203 installs in aprofile store as the management profile.

In step 503, the device management service 204 receives anauthentication request from the management application 221 of the clientdevice 203. The request can specify one or more security credentials,such as usernames, passwords, biometric identification, one-timepasswords, and so on. At step 506, the device management service 204determines that the security credentials that have been presented arevalid. If the security credentials are not valid, an error can begenerated.

At step 509, the device management service 204 sends one or moremanagement credentials 225 to the client device 203. The managementcredentials 225 can be generated by a certificate authoritycorresponding to the device management service 204. The managementcredentials 225 can be employed to create a secure communicationschannel between the device management service 204 and the managementapplication 221 for device management purposes. Thereafter, the processproceeds to completion.

With reference to FIG. 6, shown is a flowchart that provides one exampleof the operation of a management application 221. Functionalityattributed to the management application 221 can be implemented in asingle process or application or in multiple processes or applications.The separation or segmentation of functionality as discussed herein ispresented for illustrative purposes only.

Beginning with step 603, the management application 221 receives asingle sign-on request from a client application 224. For example, theclient application 224 can be prompted to use a management credential225 in order to authenticate with an identity provider 206. At step 606,the management application 221 determines whether the user is alreadyauthenticated. If the user is not already authenticated, the managementapplication 221 moves to step 609 and renders a user interface 227 onthe display 218 that requests one or more security credentials from theuser. At step 612, the management application 221 receives the securitycredentials through the user interface 227. The management application221 continues to step 615. If the user is already authenticated by themanagement application 221, the management application 221 movesdirectly from step 606 to step 615.

At step 615, the management application 221 determines whether theclient application 224 is authorized to receive the managementcredential 225. The management application 221 can make thisdetermination with respect to the access rules 226 or by way ofcommunication with the device management service 204. Examples of accessrules 216 include detecting whether a device is jailbroken, uses apassword of a given length or complexity, is used within a certaingeographic area, has certain applications installed, has certainhardware devices (e.g., a fingerprint reader), and/or other meets othercriteria relevant to the organization for whom the client device 203 ismanaged. If the client application 224 is not authorized, the managementapplication 221 moves to step 618 and rejects the request. Thereafter,the process proceeds to completion.

If the client application 224 is authorized, the management application221 moves to step 621 and determines whether the management credential225 has been cached in the client device 203. If the managementcredential 225 has been cached, the management application 221 loads themanagement credential 225 from the cache at step 624. At step 625, themanagement application 221 provides the management credential 225 to theclient application 224. Thereafter, the process proceeds to completion.

If the management credential 225 has not been cached, the managementapplication 221 moves from step 621 to step 627 and authenticates withthe device management service 204. To this end, the managementapplication 221 can authenticate using the user-supplied credentials ora session or registration token. At step 630, the management application221 sends a request for the management credential 225 to the devicemanagement service 204. At step 633, the management application 221receives the management credential 225 from the device managementservice 204. At step 625, the management application 221 provides themanagement credential 225 to the client application 224. Thereafter, theprocess proceeds to completion.

Turning now to FIG. 7, shown is a flowchart that provides one example ofthe operation of a client application 224. Functionality attributed tothe client application 224 can be implemented in a single process orapplication or in multiple processes or applications. The separation orsegmentation of functionality as discussed herein is presented forillustrative purposes only.

Beginning with step 703, the client application 224 sends an accessrequest to a service provider 209. At step 706, the client application224 receives a redirection to the identity provider 206. The redirectioncan include a hypertext transfer protocol (HTTP) redirection responsehaving status code 302. At step 709, the client application 224 sends anidentity assertion request to the identity provider 206. At step 712,the client application 224 receives a response requesting authenticationby a management credential 225.

At step 715, the client application 224 obtains the managementcredential 225 from the management application 221. To this end, theclient application 224 can send a request by a local uniform resourcelocator (URL) to the management application 221 and can also receive aresponse from the management application 221 by a local URL. The localURL used to invoke the management application 221 can include callbackinformation such as a scheme name corresponding to the clientapplication 224 so that the management application 221 can identify theclient application 224 and return the requested management credential225.

At step 718, the client application 224 sends data associated with orgenerated by the management credential 225 to the identity provider 206.At step 721, the client application 224 receives an identity assertionfrom the identity provider 206. The identity assertion can correspond toa security assertion markup language (SAML) assertion or anotherassertion. At step 724, the client application 224 authenticates withthe service provider 209 using the identity assertion. At step 727, theclient application 224 receives a session token from the serviceprovider 209. For example, the session token can correspond to an OAuthtoken. Subsequently, at step 730, the client application 224 canauthenticate with the service provider 209 to access resources.Thereafter, the process proceeds to completion.

Referring next to FIG. 8, shown is a flowchart that provides one exampleof the operation of a service provider 209. As an alternative, theflowchart of FIG. 8 can be viewed as depicting an example of elements ofa method implemented in a computing device. Functionality attributed tothe service provider 209 can be implemented in a single process orapplication or in multiple processes or applications. The separation orsegmentation of functionality as discussed herein is presented forillustrative purposes only.

Beginning with step 803, the service provider 209 receives an accessrequest from a client application 224. The service provider 209 thencorrelates this access request to the use of the identity provider 206for authentication. At step 806, the service provider 209 sends aredirection response to the client application 224. This can include ahypertext transfer protocol (HTTP) redirection response with status code302. The redirection response can redirect the client application 224 tothe identity provider 206. The redirection response can include securityassertion markup language (SAML) that requests an identity assertion.

At step 809, the service provider 209 receives the identity assertionfrom the client application 224. At step 812, the service provider 209verifies the identity assertion. For example, the identity assertion caninclude an authentication token generated by the identity provider 206,and the service provider 209 can confirm that the authentication tokenis authentic.

At step 815, the service provider 209 generates a session token. At step818, the service provider 209 sets a session cookie including thesession token with the client application 224. At step 821, the serviceprovider 209 provides service access to the client application 224 basedat least in part on the client application 224 presenting the sessiontoken, by way of a uniform resource locator (URL) or session cookie.Thereafter, the process can proceed to completion.

The flowcharts of FIGS. 4-8 and the sequence diagram of FIG. 3 showexamples of the functionality and operation of implementations ofcomponents described herein. The components described herein can beembodied in hardware, software, or a combination of hardware andsoftware. If embodied in software, each element can represent a moduleof code or a portion of code that includes program instructions toimplement the specified logical function(s). The program instructionscan be embodied in the form of, for example, source code that includeshuman-readable statements written in a programming language or machinecode that includes machine instructions recognizable by a suitableexecution system, such as a processor in a computer system or othersystem. If embodied in hardware, each element can represent a circuit ora number of interconnected circuits that implement the specified logicalfunction(s).

Although the flowcharts and sequence diagram show a specific order ofexecution, it is understood that the order of execution can differ fromthat which is shown. For example, the order of execution of two or moreelements can be switched relative to the order shown. Also, two or moreelements shown in succession can be executed concurrently or withpartial concurrence. Further, in some examples, one or more of theelements shown in the flowcharts can be skipped or omitted.

The client device 203, the device management service 204, the identityprovider 206, the service providers 209, or other components describedherein can include at least one processing circuit. Such a processingcircuit can include, for example, one or more processors and one or morestorage devices that are coupled to a local interface. The localinterface can include, for example, a data bus with an accompanyingaddress/control bus or any other suitable bus structure.

The one or more storage devices for a processing circuit can store dataor components that are executable by the one or more processors of theprocessing circuit. For example, the device management service 204, theidentity provider 206, the service providers 209, the managementapplication 221, the client applications 224, and/or other componentscan be stored in one or more storage devices and be executable by one ormore processors. Also, a data store, such as the identity data store 215or the management data store 213 can be stored in the one or morestorage devices.

The identity provider 206, the device management service 204, theservice providers 209, the management application 221, the clientapplications 224, and/or other components described herein can beembodied in the form of hardware, as software components that areexecutable by hardware, or as a combination of software and hardware. Ifembodied as hardware, the components described herein can be implementedas a circuit or state machine that employs any suitable hardwaretechnology. The hardware technology can include, for example, one ormore microprocessors, discrete logic circuits having logic gates forimplementing various logic functions upon an application of one or moredata signals, application specific integrated circuits (ASICs) havingappropriate logic gates, programmable logic devices (e.g.,field-programmable gate array (FPGAs), and complex programmable logicdevices (CPLDs)).

Also, one or more or more of the components described herein thatinclude software or program instructions can be embodied in anynon-transitory computer-readable medium for use by or in connection withan instruction execution system such as, a processor in a computersystem or other system. The computer-readable medium can contain, store,and/or maintain the software or program instructions for use by or inconnection with the instruction execution system.

A computer-readable medium can include a physical media, such as,magnetic, optical, semiconductor, and/or other suitable media. Examplesof a suitable computer-readable media include, but are not limited to,solid-state drives, magnetic drives, or flash memory. Further, any logicor component described herein can be implemented and structured in avariety of ways. For example, one or more components described can beimplemented as modules or components of a single application. Further,one or more components described herein can be executed in one computingdevice or by using multiple computing devices.

It is emphasized that the above-described examples of the presentdisclosure are merely examples of implementations to set forth for aclear understanding of the principles of the disclosure. Many variationsand modifications can be made to the above-described examples withoutdeparting substantially from the spirit and principles of thedisclosure. All such modifications and variations are intended to beincluded herein within the scope of this disclosure.

The invention claimed is:
 1. A non-transitory computer-readable mediumembodying a program executable in a server computing device, theprogram, when executed by the server computing device, being configuredto cause the server computing device to at least: receive a request foran identity assertion from an application executed in a mobile device;detect that the mobile device is associated with a specific platform ofa plurality of platforms; identify a specific platform adaptercorresponding to the specific platform, the specific platform adapterbeing associated with a type of device management credential, the typeof device management credential being a secure certificate or a Kerberosprofile; send, by the specific platform adapter, to the mobile device aresponse to the request requesting a device management credentialcorresponding to the type of device management credential, the responsefurther requesting that the mobile device request authentication usingthe device management credential, the device management credential beingused by a device management application that is executed in the mobiledevice and manages the application; receive, by the specific platformadapter, the requested authentication request including the devicemanagement credential from the mobile device; determine, by the specificplatform adapter, that the device management credential is valid for theidentity assertion; and send the identity assertion to the mobile devicein response to determining that the device management credential isvalid for the identity assertion.
 2. The non-transitorycomputer-readable medium of claim 1, wherein the mobile device hasaccess to the device management credential in response to authenticationby a device management service of a user of the mobile device.
 3. Thenon-transitory computer-readable medium of claim 1, wherein, when thespecific platform is iOS, the request is generated by an iOS-specificcertificate adapter.
 4. The non-transitory computer-readable medium ofclaim 1, wherein, when the specific platform is ANDROID, the request isgenerated by a certificate adapter.
 5. The non-transitorycomputer-readable medium of claim 1, wherein the program, when executedby the server computing device, is further configured to cause theserver computing device to at least: receive a second request for asecond identity assertion from a second application executed in themobile device; send, by the specific platform adapter, to the mobiledevice a second response to the second request requesting the devicemanagement credential based at least in part on the specific platform,the second response further requesting that the mobile device requestauthentication a second time using device management credential;receive, by the specific platform adapter, the requested authenticationrequest for the second time including the device management credentialfrom the mobile device; determine, by the specific platform adapter,that the device management credential is valid for the second identityassertion; and send the second identity assertion to the mobile devicein response to determining that the device management credential isvalid for the second identity assertion.
 6. A system, comprising: atleast one computing device; and an identity provider service executableby the at least one computing device, the identity provider serviceconfigured to cause the at least one computing device to at least:receive a request for an identity assertion from an application executedin a mobile device, the request including a user-agent string; determinethat the application corresponds to a webview of a native applicationrather than a browser by examining the user-agent string; detect thatthe mobile device is associated with a specific platform of a pluralityof platforms; identify a specific platform adapter corresponding to thespecific platform, the specific platform adapter being associated with atype of device management credential, the type of device managementcredential being a secure certificate or a Kerberos profile; send, bythe specific platform adapter, to the mobile device a response to therequest requesting a device management credential corresponding to thetype of device management credential, the response further requestingthat the mobile device request authentication using the devicemanagement credential, the device management credential being used by adevice management application that is executed in the mobile device andmanages the application, the device management credential being a securecertificate or a Kerberos profile; receive, by the specific platformadapter, the requested authentication request including the devicemanagement credential from the mobile device; determine, by the specificplatform adapter, that the device management credential is valid for theidentity assertion; and send the identity assertion to the mobile devicein response to determining that the device management credential isvalid for the identity assertion.
 7. The system of claim 6, wherein themobile device has access to the device management credential in responseto authentication by a device management service of a user of the mobiledevice.
 8. The system of claim 6, wherein the identity provider serviceis further configured to cause the at least one computing device to atleast generate the response to the request by an iOS-specificcertificate adapter.
 9. The system of claim 6, wherein the request forthe identity assertion is redirected to the identity provider servicefrom a service provider.
 10. The system of claim 6, wherein the responseto the request is a hypertext transfer protocol (HTTP) response having a401 authentication required status code.
 11. A method, comprising:receiving a request for an identity assertion from an applicationexecuted in a client device; detecting that the client device isassociated with a specific platform of a plurality of platforms;identifying a specific platform adapter corresponding to the specificplatform, the specific platform adapter being associated with a type ofdevice management credential; sending, by the specific platform adapter,to the client device a response to the request requesting a devicemanagement credential corresponding to the type of device managementcredential, the response further requesting that the client devicerequest authentication using the device management credential, thedevice management credential being a secure certificate or a Kerberosprofile, the device management credential being used by a devicemanagement application that is executed in the client device and managesthe application; receiving, by the specific platform adapter, therequested authentication request including the device managementcredential from the client device; determining, by the specific platformadapter, that the device management credential is valid for the identityassertion; and sending the identity assertion to the client device inresponse to determining that the device management credential is validfor the identity assertion.
 12. The method of claim 11, wherein theclient device has access to the device management credential in responseto authentication by a device management service of a user of the clientdevice.
 13. The method of claim 11, wherein the request for the identityassertion is redirected from a service provider.
 14. The method of claim11, further comprising detecting that the client device complies with aset of access rules.
 15. The method of claim 11, further comprising, inresponse to determining that the specific platform corresponds to iOS,generating the response to the request by an iOS-specific certificateadapter.
 16. The method of claim 11, wherein the identity assertion is asecurity assertion markup language (SAML) assertion.
 17. The method ofclaim 11, wherein the response to the request is a hypertext transferprotocol (HTTP) response having a 401 authentication required statuscode.
 18. The method of claim 11, wherein the response to the request inturn requests Kerberos protocol authentication.
 19. The non-transitorycomputer-readable medium of claim 1, wherein the device managementapplication manages a plurality of applications executed in the mobiledevice.
 20. The method of claim 11, wherein the device managementapplication manages a plurality of applications executed in the clientdevice.